[Freeipa-devel] [freeipa PR#6077][opened] ipatests: fix get_user_result method
URL: https://github.com/freeipa/freeipa/pull/6077 Author: flo-renaud Title: #6077: ipatests: fix get_user_result method Action: opened PR body: """ Because the sidgen plugin is a postop plugin, it is not always triggered before the result of an ADD is returned and the objectclasses of the user may / may not contain ipantuserattrs. Fix the get_user_result method to work in all the cases. Related: https://pagure.io/freeipa/issue/8995 Signed-off-by: Florence Blanc-Renaud """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/6077/head:pr6077 git checkout pr6077 From 4d7b17fe2ba9898fb544a081175022b32d4b2793 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 10 Nov 2021 10:54:37 +0100 Subject: [PATCH] ipatests: fix get_user_result method Because the sidgen plugin is a postop plugin, it is not always triggered before the result of an ADD is returned and the objectclasses of the user may / may not contain ipantuserattrs. Fix the get_user_result method to work in all the cases. Related: https://pagure.io/freeipa/issue/8995 Signed-off-by: Florence Blanc-Renaud --- ipatests/test_xmlrpc/test_user_plugin.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index b093a9f2b2d..58996b2132e 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -38,7 +38,7 @@ assert_deepequal, assert_equal, assert_not_equal, raises) from ipatests.test_xmlrpc.xmlrpc_test import ( XMLRPC_test, fuzzy_digits, fuzzy_uuid, fuzzy_password, -fuzzy_user_or_group_sid, +fuzzy_user_or_group_sid, fuzzy_set_optional_oc, Fuzzy, fuzzy_dergeneralizedtime, raises_exact) from ipapython.dn import DN from ipapython.ipaldap import ldap_initialize 
@@ -1179,7 +1179,8 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[], initials=[givenname[0] + (sn or '')[:1]], ipauniqueid=[fuzzy_uuid], mepmanagedentry=[get_group_dn(uid)], -objectclass=objectclasses.user, +objectclass=fuzzy_set_optional_oc( +objectclasses.user, 'ipantuserattrs'), krbprincipalname=[u'%s@%s' % (uid, api.env.realm)], krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)], ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
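Review bot: in the get_user_result hunk at @@ -1179,7 +1179,8 @@, wrapping the expected list as `objectclass=fuzzy_set_optional_oc(objectclasses.user, 'ipantuserattrs')` makes the class optional for every operation, although the description says only the result of an ADD can race the sidgen postop plugin; after `user-show` or `user-find` a user without ipantuserattrs (no SID assigned) would now pass silently. Since the function already takes `operation='show'`, consider applying the optional matcher only when operation is 'add' and keeping the strict `objectclasses.user` comparison for the other operations.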
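As an added illustration of the comparison the fixed get_user_result needs (example code, not FreeIPA's fuzzy_set_optional_oc, whose implementation is not part of this PR): a matcher that accepts a user's objectclass list whether or not the sidgen postop plugin had already added ipantuserattrs when the ADD result was assembled. The objectclass list is a constructed, shortened sample, and the class and function names are this example's own.

```python
# Added illustration, not FreeIPA's fuzzy_set_optional_oc: an equality helper
# that accepts a user's objectclass list whether or not the sidgen postop
# plugin has already added ipantuserattrs when the ADD result was assembled.

# Constructed sample of a user's objectclasses; the real list used by the
# tests is ipatests' objectclasses.user and is longer than this.
USER_OBJECTCLASSES = [
    "top", "person", "inetorgperson", "posixaccount",
    "krbprincipalaux", "ipaobject", "ipantuserattrs",
]


class SetWithOptionalMembers:
    """Compares equal to any list holding the expected values (order and
    letter case ignored, as for LDAP objectclass values) with any subset of
    the optional members absent. Extra values or duplicates never match."""

    def __init__(self, expected, *optional):
        self.expected = {v.lower() for v in expected}
        self.optional = {v.lower() for v in optional}
        if not self.optional <= self.expected:
            raise ValueError("optional members must be part of expected set")

    def __eq__(self, actual):
        try:
            values = [v.lower() for v in actual]
        except (TypeError, AttributeError):
            return False          # not an iterable of strings
        got = set(values)
        if len(got) != len(values):
            return False          # a duplicated objectclass value
        missing = self.expected - got
        extra = got - self.expected
        # Everything returned must be expected; only optional classes may be
        # missing (here: ipantuserattrs before sidgen has run).
        return not extra and missing <= self.optional


def matches_user_objectclass(actual):
    """True when `actual` is a valid objectclass list for a user, with
    ipantuserattrs allowed to be absent (sidgen not yet run) or present."""
    expected = SetWithOptionalMembers(USER_OBJECTCLASSES, "ipantuserattrs")
    return expected == actual
```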
[Freeipa-devel] [freeipa PR#6077][closed] ipatests: fix get_user_result method
URL: https://github.com/freeipa/freeipa/pull/6077
Author: flo-renaud
Title: #6077: ipatests: fix get_user_result method
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6077/head:pr6077
git checkout pr6077
[Freeipa-devel] [freeipa PR#6078][opened] [Backport][ipa-4-9] ipatests: fix get_user_result method
URL: https://github.com/freeipa/freeipa/pull/6078 Author: flo-renaud Title: #6078: [Backport][ipa-4-9] ipatests: fix get_user_result method Action: opened PR body: """ This PR was opened automatically because PR #6077 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/6078/head:pr6078 git checkout pr6078 From 7c1c7cc1a7e54e18c9c38204a7a56f3f5efa7687 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 10 Nov 2021 10:54:37 +0100 Subject: [PATCH] ipatests: fix get_user_result method Because the sidgen plugin is a postop plugin, it is not always triggered before the result of an ADD is returned and the objectclasses of the user may / may not contain ipantuserattrs. Fix the get_user_result method to work in all the cases. Related: https://pagure.io/freeipa/issue/8995 Signed-off-by: Florence Blanc-Renaud --- ipatests/test_xmlrpc/test_user_plugin.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index b093a9f2b2d..58996b2132e 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -38,7 +38,7 @@ assert_deepequal, assert_equal, assert_not_equal, raises) from ipatests.test_xmlrpc.xmlrpc_test import ( XMLRPC_test, fuzzy_digits, fuzzy_uuid, fuzzy_password, -fuzzy_user_or_group_sid, +fuzzy_user_or_group_sid, fuzzy_set_optional_oc, Fuzzy, fuzzy_dergeneralizedtime, raises_exact) from ipapython.dn import DN from ipapython.ipaldap import ldap_initialize 
@@ -1179,7 +1179,8 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[], initials=[givenname[0] + (sn or '')[:1]], ipauniqueid=[fuzzy_uuid], mepmanagedentry=[get_group_dn(uid)], -objectclass=objectclasses.user, +objectclass=fuzzy_set_optional_oc( +objectclasses.user, 'ipantuserattrs'), krbprincipalname=[u'%s@%s' % (uid, api.env.realm)], krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)], ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-devel] [freeipa PR#6078][closed] [Backport][ipa-4-9] ipatests: fix get_user_result method
URL: https://github.com/freeipa/freeipa/pull/6078
Author: flo-renaud
Title: #6078: [Backport][ipa-4-9] ipatests: fix get_user_result method
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6078/head:pr6078
git checkout pr6078
[Freeipa-devel] [freeipa PR#6076][closed] Harden PAC processing
URL: https://github.com/freeipa/freeipa/pull/6076
Author: abbra
Title: #6076: Harden PAC processing
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6076/head:pr6076
git checkout pr6076
[Freeipa-devel] [freeipa PR#6079][opened] [Backport][ipa-4-9] Harden PAC processing
URL: https://github.com/freeipa/freeipa/pull/6079 Author: rcritten Title: #6079: [Backport][ipa-4-9] Harden PAC processing Action: opened PR body: """ This PR was opened automatically because PR #6076 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/6079/head:pr6079 git checkout pr6079 From 47cdf83ae163676c923b333d5c9a5dccd1fb4a4d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 28 Sep 2021 10:24:32 +0300 Subject: [PATCH 1/9] ipa-kdb: store SID in the principal entry If the principal entry in LDAP has SID associated with it, store it to be able to quickly assess the SID when processing PAC. Also rename string_to_sid to IPA-specific version as it uses different prototype than Samba version. Fixes: https://pagure.io/freeipa/issue/9031 Signed-off-by: Alexander Bokovoy Reviewed-by: Andreas Schneider Reviewed-by: Robert Crittenden --- daemons/ipa-kdb/ipa_kdb.h | 7 ++ daemons/ipa-kdb/ipa_kdb_mspac.c | 31 ++--- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 - daemons/ipa-kdb/ipa_kdb_principals.c| 25 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 30 5 files changed, 69 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 66a1d74f138..884dff9500b 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -79,6 +79,7 @@ #define IPA_USER_AUTH_TYPE "ipaUserAuthType" struct ipadb_mspac; +struct dom_sid; enum ipadb_user_auth { IPADB_USER_AUTH_NONE = 0, @@ -155,6 +156,8 @@ struct ipadb_e_data { bool has_tktpolaux; enum ipadb_user_auth user_auth; struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX]; +bool has_sid; +struct dom_sid *sid; }; struct ipadb_context *ipadb_get_context(krb5_context kcontext); 
@@ -366,3 +369,7 @@ int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry, /* CERTAUTH PLUGIN */ void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata); #endif + +int ipadb_string_to_sid(const char *str, struct dom_sid *sid); +void alloc_sid(struct dom_sid **sid); +void free_sid(struct dom_sid **sid); \ No newline at end of file diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 47b12a16f33..f3e8657c27d 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -80,7 +80,20 @@ static char *memberof_pac_attrs[] = { #define AUTHZ_DATA_TYPE_PAD "PAD" #define AUTHZ_DATA_TYPE_NONE "NONE" -int string_to_sid(const char *str, struct dom_sid *sid) +void alloc_sid(struct dom_sid **sid) +{ +*sid = malloc(sizeof(struct dom_sid)); +} + +void free_sid(struct dom_sid **sid) +{ +if (sid != NULL && *sid != NULL) { +free(*sid); +*sid = NULL; +} +} + +int ipadb_string_to_sid(const char *str, struct dom_sid *sid) { unsigned long val; const char *s; @@ -372,7 +385,7 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx, /* For S4U2Self, add Service Asserted Identity SID * otherwise, add Authentication Authority Asserted Identity SID */ -ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? +ret = ipadb_string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? "S-1-18-2" : "S-1-18-1", arr[sidcount].sid); if (ret) { @@ -655,7 +668,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, /* SID is mandatory */ return ret; } -ret = string_to_sid(strres, &sid); +ret = ipadb_string_to_sid(strres, &sid); free(strres); if (ret) { return ret; @@ -700,7 +713,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, } } if (strcasecmp(dval->type, "ipaNTSecurityIdentifier") == 0) { -ret = string_to_sid((char *)dval->vals[0].bv_val, &gsid); +ret = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &gsid); if (ret) { continue; } 
@@ -1189,7 +1202,7 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext, } if (strcasecmp(dval->type, "ipaNTSecurityIdentifier") == 0) { -kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); +kerr = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &sid); if (kerr != 0) { continue; } @@ -2434,7 +2447,7 @@ ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
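Review bot: in the ipa_kdb.h hunk at @@ -155,6 +156,8 @@, the new `bool has_sid;` duplicates what `struct dom_sid *sid;` being non-NULL already expresses, so the two can drift apart; consider keeping only the pointer, or document when has_sid may be true while sid is NULL. Because sid is heap memory obtained through alloc_sid(), the release path for ipadb_e_data must call free_sid() on it; that path lives in daemons/ipa-kdb/ipa_kdb_principals.c, which the diffstat lists but this excerpt does not show, so please confirm the SID is freed together with the rest of the entry data.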
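Review bot: the ipa_kdb.h hunk at @@ -366,3 +369,7 @@ appends the ipadb_string_to_sid, alloc_sid and free_sid prototypes after the file's final #endif and the result carries `\ No newline at end of file`. Add the trailing newline, and since the surrounding context shows that #endif closing the CERTAUTH PLUGIN section, double-check that the declarations are meant to sit outside that conditional rather than inside it. Given that string_to_sid was renamed with an ipadb_ prefix precisely to avoid clashing with Samba's prototype, the newly exported alloc_sid and free_sid deserve the same prefix.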
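Review bot: in the ipa_kdb_mspac.c hunk at @@ -80,7 +80,20 @@, alloc_sid() does `*sid = malloc(sizeof(struct dom_sid));` and returns void, so a failed allocation is only noticed if every caller tests `*sid` for NULL afterwards; returning a status the caller can fail closed on (for example `return *sid == NULL ? ENOMEM : 0;`) makes the check hard to forget. The buffer is also left uninitialised; if any path can read the SID before ipadb_string_to_sid() has filled it in, calloc() would avoid acting on stale field values when processing the PAC.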